The crypto industry has been plagued with countless hackers and scammers that continue to prey on the unaware. The fact that almost everything in our lives is digital and connected to the World Wide Web makes it easier for these stealthy attackers to access our funds.
Cellular devices have become an essential part of our lives and are increasingly being used as a secondary verification for our online identities. This has resulted in the rise of an advanced attack dubbed “SIM swapping.”
A SIM swapping attack requires the attacker to acquire enough information about a person to impersonate them on a call to their cellular provider. The attacker is then able to convince the representative to switch the user’s phone number to a different SIM card.
Once successful, the attacker can then use the victim’s phone number to access all confidential data. Since phone numbers are used as a verification method for almost every platform, victims risk losing all their funds as well.
Million-dollar attack in the Crypto industry
The crypto space has seen quite a few SIM swapping attacks, and there is also an ongoing lawsuit filed against popular cellular service provider AT&T. The lawsuit was filed by Emmy Award-winning media tech consultant Seth Shapiro back in 2019, claiming that the company’s failed security measures resulted in $1.8 million in crypto being stolen from him.
AT&T recently moved to dismiss the lawsuit, which alleges that the company was negligent in preventing the attack, but U.S. District Judge Consuelo Marshall has rejected AT&T’s bid. Hence, Shapiro’s claims of negligence, negligent supervision, claims brought under the Computer Fraud and Abuse Act, and request for punitive damages remain active.
As per the court order, the first attack happened in May 2018 with an AT&T employee noting “the SIM swap activity in [Plaintiff’s] account” and assuring the Plaintiff “that his SIM card would not be swapped again without his authorization.”
Shapiro’s complaint stated, “AT&T failed to implement sufficient data security systems and procedures and failed to supervise its own personnel, instead of standing by as its employees used their position at the company to gain unauthorized access to Mr. Shapiro’s account in order to rob, extort and threaten him in exchange for money.”
As of now, Shapiro has until May 29 to file an amended complaint responding to the order.
AT&T’s second lawsuit
The telecom service provider is involved in another lawsuit where a 15-year-old hacker by the name of Ellis Pinsky managed to steal $23.8 million in a SIM-swap attack back in January 2018. The victim, in this case, was crypto investor Michael Terpin, who is requesting $200 million in compensation.
AT&T’s legal representatives have responded saying:
“Mr. Terpin ignores the undisputed fact […] that AT&T disclosed to him that it could not guarantee that third parties would not take unauthorized actions that would disclose his personal information.”
AT&T is seeking to dismiss the request for $200 million in damages.
There aren’t many ways to prevent a SIM swap attack. The director of the security firm Flashpoint, Allison Nixon, has stated that a SIM swap “... requires no skill, and there is literally nothing the average person can do to stop it.”
However, one can always use a 2FA app like Google Authenticator or Authy instead of SMS text 2FA logins to prevent attackers from accessing funds or applications that would otherwise be protected only by SMS 2FA. These 2FA apps provide a security measure that is independent of cell service or Wi-Fi.
Instead of receiving a text message, a user must enter a unique six-digit code that refreshes every minute. Once the correct code is entered, the user has access to the website.